Lines 643-683javascript
645- Fast-bail: if Diff Scope contains no QA-relevant files, output {"verdict":"APPROVE","notes":"out of scope: QA"} immediately.
646- APPROVE: lint/tests/typecheck pass and no actionable bugs.
647- APPROVE_WITH_NOTES: quality gates pass but include non-blocking advisories in notes.
648- REVISE: any gate fails or actionable bugs are found; include failing commands and affected file paths in notes.
649- Final output: output exactly one trailing JSON object on the final line (no markdown fences, no surrounding prose):
650{"verdict":"APPROVE|APPROVE_WITH_NOTES|REVISE","notes":"..."}`
653 id: "security-audit",
654 name: "Security Audit",
655 description: "Check for common security vulnerabilities and anti-patterns",
656 category: "Security",
658 toolMode: "readonly",
659 prompt: `You are a security auditor. Review the task changes for common security vulnerabilities.
6621. **Injection vulnerabilities** \u2014 Check for SQL injection, command injection, XSS via unsanitized user input
6632. **Secrets and credentials** \u2014 Ensure no hardcoded passwords, API keys, tokens, or private keys
6643. **Unsafe eval** \u2014 Check for eval(), new Function(), or similar dangerous patterns
6654. **Path traversal** \u2014 Verify file path handling prevents directory traversal attacks
LowEval
Package source references a known benign dynamic code generation pattern.
dist/chunk-AWKNRUOR.jsView on unpkg · L663 6665. **Insecure deserialization** \u2014 Check for unsafe parsing of untrusted data
6676. **Authentication/Authorization** \u2014 Verify access controls are properly implemented
6687. **Dependency risks** \u2014 Note any new dependencies that might have known vulnerabilities
671- All modified files in the task
672- Configuration files that might contain secrets
673- Areas handling user input or external data
676- Fast-bail: if Diff Scope contains no security-relevant files, output {"verdict":"APPROVE","notes":"out of scope: security"} immediately.
677- APPROVE: no security issues found.
678- APPROVE_WITH_NOTES: no blocking issues, but include advisory hardening opportunities in notes.
679- REVISE: vulnerabilities require changes; include file paths, severity, and remediation guidance in notes.
680- Final output: output exactly one trailing JSON object on the final line (no markdown fences, no surrounding prose):
681{"verdict":"APPROVE|APPROVE_WITH_NOTES|REVISE","notes":"..."}`